
Bug#939890: buster-pu: package rpcbind/1.2.5-0.3+deb10u1



>>>>> "Sam" == Sam Hartman <hartmans@debian.org> writes:

>>>>> "Josue" == Josue Ortega <josue@debian.org> writes:
    Josue> On Mon, Sep 09, 2019 at 08:27:31PM -0400, Sam Hartman wrote:
    >>> What are the security implications of enabling this configure
    >>> flag?
    Josue> Enabling this flag lets rpcbind open random listening
    Josue> ports.  This would make firewalling very hard.  (Default
    Josue> behavior prior to version 1.2.5)

    >>> Why is it off by default?
    Josue> Upstream set it off by default since they claimed about
    Josue> customers complaining about this behavior and supposedly it's
    Josue> not widely used.  Check [1] for more details.

    Josue> Debian users running NIS services in Buster have reported
    Josue> breakage in their system due to the lack of the remote call
    Josue> functionality.

    Sam> For the stable release managers.  This change reverts a
    Sam> security feature introduced upstream designed to make rpcbind
    Sam> easier to firewall and reduce the attack surface of rpcbind.

FYI, I am *not* wearing my DPL hat in this conversation.
If anything I'm wearing my Kerberos maintainer hat, hoping that things
like nfs configured in a secure configuration remain secure.

